title: Remote Desktop Protocol (T1021.001)
id: df00tech-t1021-001
status: experimental
description: "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). RDP is a common feature in Windows that allows interactive graphical sessions on remote systems. Threat actors including Kimsuky, INC Ransom, Volt Typhoon, Wizard Spider, BlackByte, Akira, and FIN7 have all leveraged RDP for lateral movement. Adversaries typically acquire credentials via Credential Access techniques, then use RDP to expand access to additional systems, deploy ransomware interactively, or establish persistence via Accessibility Features."
references:
  - https://attack.mitre.org/techniques/T1021/001/
  - https://df00tech.com/detections/T1021.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators performing legitimate remote administration of servers and workstations via RDP
  - Help desk staff using RDP to support end users, especially from a central jump server or bastion host
  - Automated monitoring or patch management tools (e.g. SCCM) that connect via RDP for maintenance
  - VPN-connected remote workers whose source IP appears external to network monitoring systems
  - Vendor remote support sessions initiated under approved change tickets
level: high
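The rule above ships with a placeholder selection (`EventID: '*'`) because the df00tech query was not auto-translated. The following Python is an added example, not the rule's own logic and not df00tech code: it shows one way to triage RDP logons from Windows Security event 4624 records (LogonType 10 is the RemoteInteractive logon, a documented Windows fact rather than page content) while de-prioritising the expected sources the falsepositives section names (a help-desk jump server, an SCCM host). The allowlist `KNOWN_ADMIN_SOURCES`, the field names, and every event in `SAMPLE_EVENTS` are constructed assumptions; the account-spread heuristic in `spread_alerts` goes beyond the rule by flagging one account reaching several hosts over RDP in a short window, which is the lateral-movement pattern the description attributes to these actors.

```python
"""Added example (not the df00tech rule's detection logic): triage Windows
Security 4624 RemoteInteractive logons and flag one account spreading across
several hosts over RDP. All events and the allowlist below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# EventID 4624 with LogonType 10 = RemoteInteractive (RDP) logon.
RDP_LOGON_EVENT_ID = 4624
RDP_LOGON_TYPE = 10

# Hypothetical allowlist matching the rule's falsepositives: a help-desk jump
# server and a patch-management (SCCM) host. Replace with your own inventory.
KNOWN_ADMIN_SOURCES = {"10.0.0.5": "jumphost01", "10.0.0.9": "sccm01"}

# Constructed sample events in the flattened shape a SIEM typically returns.
SAMPLE_EVENTS = [
    {"time": "2026-04-13T08:00:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "helpdesk1", "IpAddress": "10.0.0.5", "Computer": "WS-101"},
    {"time": "2026-04-13T08:01:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20", "Computer": "FS-01"},
    {"time": "2026-04-13T08:02:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.33", "Computer": "FS-01"},
    {"time": "2026-04-13T08:04:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.33", "Computer": "SQL-02"},
    {"time": "2026-04-13T08:07:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.33", "Computer": "DC-01"},
    {"time": "2026-04-13T09:30:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "asmith", "IpAddress": "10.0.7.8", "Computer": "WS-202"},
]


def rdp_logons(events):
    """Keep only RemoteInteractive (RDP) logon events; network logons (type 3)
    and others are dropped."""
    return [e for e in events
            if e["EventID"] == RDP_LOGON_EVENT_ID and e["LogonType"] == RDP_LOGON_TYPE]


def classify(event):
    """Return ('expected', source_name) for logons from a known admin source,
    else ('review', None). This is the allowlist step that absorbs the
    jump-server / SCCM false positives listed in the rule."""
    src = event["IpAddress"]
    if src in KNOWN_ADMIN_SOURCES:
        return "expected", KNOWN_ADMIN_SOURCES[src]
    return "review", None


def spread_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag accounts that RDP into at least `min_hosts` distinct computers
    within `window`, ignoring logons from allowlisted sources. A single admin
    session touches one host; an operator moving laterally touches several."""
    per_user = defaultdict(list)
    for e in rdp_logons(events):
        if classify(e)[0] == "expected":
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["time"]), e["Computer"]))
    alerts = {}
    for user, visits in per_user.items():
        visits.sort()
        # Slide a window starting at each logon and count distinct hosts.
        for i, (t0, _) in enumerate(visits):
            hosts = {h for t, h in visits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for ev in rdp_logons(SAMPLE_EVENTS):
        verdict, src = classify(ev)
        print(f"{ev['time']} {ev['TargetUserName']:>10} -> {ev['Computer']:<7} "
              f"from {ev['IpAddress']:<10} [{verdict}{' via ' + src if src else ''}]")
    print("spread alerts:", spread_alerts(SAMPLE_EVENTS))
```

Tune `window` and `min_hosts` to your environment: the allowlist handles the routine help-desk and patching traffic, and the spread threshold is what separates a single remote-administration session from the multi-host pattern the description attributes to ransomware operators.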
